I am seeking a method to prevent access to the Wordpress admin folder "wp-admin", but I also need Apache to generate a 404 error (Not Found) for all but selected IPs.
I found this post, Returning 404 code for unauthorized attempts, and tried the Rewrite solution, but it does not work for me.

So I keep all websites in /usr/local/www/apache22/data
and tried to use such a config in httpd.conf (Apache 2.2, FreeBSD 9.1)

Why do you want to do this? Why isn't simply denying access (HTTP/403) for unauthorized IP addresses (which you can do with simple Allow/Deny rules) adequate?
– voretaq7♦ Sep 25 '13 at 21:26

I have been waiting for such a reply. The reason is to obfuscate bad bots trying to guess the presence of an installed Wordpress. So if they get a 404 error then they won't try to explore for Wordpress vulnerabilities.
– Demontager Sep 26 '13 at 6:09

Is it not possible to actually MOVE the wp-admin stuff? If you can just move the file/folder to a new location you get your 404, your obfuscation, and you aren't doing absolutely silly (breaking internet standards) things to do it...
– lVlint67 Sep 26 '13 at 6:18

To answer my own questions: Can't move wp-admin... easily... With that said, let's move on... WHERE have you added the above code? httpd.conf? .htaccess? Is mod_rewrite reloaded and enabled in Apache? Have you restarted Apache since you made the changes? Edit the question with your responses and we will go from there.
– lVlint67 Sep 26 '13 at 6:23

I already mentioned in the question where I added the rules. Sure, I restarted Apache; mod_rewrite is loaded (pastebin.com/b65GhsVZ) and working fine, as plenty of my websites are using it. Regarding moving wp-admin, sure, I can use a bash script to rename everything in one shot, but I'm curious (and actually going to use) how to accomplish this without touching core files.
– Demontager Sep 26 '13 at 6:37

1 Answer
1

OK, first let me say that your entire premise is flawed: There are many other ways besides the presence of /wp-admin to determine that you're using Wordpress. You're attempting Security through Obscurity, and since you're not obscuring everything you aren't doing a particularly elegant job of it.

In VirtualHost context, The Pattern will initially be matched against the part of the URL after the hostname and port, and before the query string (e.g. "/app1/index.html").

In Directory and htaccess context, the Pattern will initially be matched against the filesystem path, after removing the prefix that led the server to the current RewriteRule (e.g. "app1/index.html" or "index.html" depending on where the directives are defined).

Simply put that means you need more of the path to wp-admin in your rule if you want to do this in the Directory context (like ^domain.com/wp-admin($|/)). The simple/naive fix would be to change your regex to ^.*wp-admin($|/) and just match anything that contains wp-admin (which is also a good way to verify that the rule itself is being parsed).

If you insist on pursuing this avenue of "security" though I would advise making this change in the VirtualHost context (or /wp-admin/.htaccess file) instead of in the Directory context for your whole server. It is both simpler to write and more robust. (Your current solution breaks if someone on your server DOESN'T want their wordpress admin page locked down (and there are probably a lot of people who won't -- anyone with a dynamic IP for example). Doing this in each VirtualHost or a .htaccess file allows you to keep certain sites "unlocked".)

Hope I found what I need. This works for me if the block below is inserted in httpd.conf context:
<Directory /usr/local/www/apache22/data/*/wp-admin>
RewriteCond %{REMOTE_ADDR} !^77\.120\.9\.3$
RewriteRule . google.com/404.php [R=404,L]
</Directory>
I saw this in Rewrite redirect examples and adapted it to serve a 404 error, but initially it was intended to do redirection.
– Demontager Sep 28 '13 at 16:36
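
An added example, not part of the original answer or comments: a simplified Python model of which string mod_rewrite tests a Pattern against in VirtualHost versus Directory context, as the answer describes, combined with the allowlist condition from the thread. The `^wp-admin($|/)` rule, the one-directory-per-host layout under the data root and the client address 203.0.113.50 are assumptions made for illustration.

```python
import re

DATA_ROOT = "/usr/local/www/apache22/data"   # path from the question
ALLOWED_IP = re.compile(r"^77\.120\.9\.3$")  # address from the asker's comment

def match_target(context, url_path, host="domain.com", base=DATA_ROOT):
    """Return the string a RewriteRule pattern is tested against (simplified model)."""
    if context == "vhost":
        # VirtualHost context: the URL path, leading slash included.
        return url_path
    if context == "directory":
        # Directory context: mapped filesystem path minus the directory prefix
        # and its trailing slash. Assumes each site lives in DATA_ROOT/<host>.
        fs_path = f"{base}/{host}{url_path}"
        return fs_path[len(base.rstrip("/")) + 1:]
    raise ValueError(context)

def status(context, pattern, url_path, remote_addr):
    """404 if the rule fires for a non-allowlisted client, else 200 (request passes)."""
    if ALLOWED_IP.search(remote_addr):
        return 200  # RewriteCond !^77\.120\.9\.3$ is false, so the rule is skipped
    target = match_target(context, url_path)
    return 404 if re.search(pattern, target) else 200

# Constructed sample rules as (context, pattern). The first is a hypothetical
# pattern of the kind that never matches in Directory context at the data root.
RULES = [
    ("directory", r"^wp-admin($|/)"),
    ("directory", r"^domain.com/wp-admin($|/)"),
    ("directory", r"^.*wp-admin($|/)"),
    ("vhost", r"^/wp-admin($|/)"),
]

def report(url_path="/wp-admin/index.php", remote_addr="203.0.113.50"):
    """One row per rule: context, pattern, string matched against, resulting status."""
    return [(ctx, pat, match_target(ctx, url_path),
             status(ctx, pat, url_path, remote_addr)) for ctx, pat in RULES]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The catch-all `^.*wp-admin($|/)` also fires for unrelated paths such as /blog/my-wp-admin/, while the VirtualHost-context pattern does not.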